Cybersecurity: Locks are fine, alarms better

Keeping intruders out has never been an easy task, and it's only getting harder. Big data offers an alternative approach.

Big data is all around us. It's helping fast-food chains and retailers keep customers happy, and it's integral to the now very-public surveillance efforts employed by the intelligence community.

But for federal agencies, one of the most attractive uses of big data and the accompanying analytics it allows for may be in the realm of cyber defense.

While the cybersecurity measures most federal agencies employ continue to improve, statistics show an increasing prevalence of large-scale data breaches in the private sector that almost certainly translates to their government counterparts.

According to Bobby Caudill, global government program director for Teradata, new data suggests that if sophisticated outsiders – including a growing contingent of well-funded nation-state affiliated actors – want specific data, they will find a way to gain access to a system.

Instead of investing loads of money building better locks for protection, Caudill encouraged agencies to develop better alarms that use available data to determine when outsiders have gotten in.

"We've got to look for ways to use data and analytics to recognize these things faster," Caudill said. "The threat landscape is larger. It's more lucrative now than it's ever been."

Caudill cited the banking and credit card industries as innovators in using analytics for improved fraud detection, and said the same analytics can help agencies detect threats and network intruders in near real-time.

The real-time aspect is huge, he said, because most companies and federal agencies aren't aware of data breaches until months after they occur.

According to Verizon's 2013 Data Breach Investigations Report (DBIR), which contains information on upwards of 47,000 cyber-security incidents and 621 confirmed data breaches reported by 19 worldwide partners over the past year, 66 percent of organizations "took months or more to discover" breaches.

Interestingly, the DBIR suggests that 70 percent of such breaches are discovered by external parties, not by the compromised organization. The most common breaches involve malware (40 percent), hacking (52 percent) or the exploitation of weak or stolen credentials (76 percent) according to the DBIR, and about 20 percent of all data breaches were perpetrated by state-affiliated actors such as China.

Imagine what kind of information an intruder could access with months to acclimate to a system, Caudill said.

Corporate attacks are most often driven by financial motives, according to DBIR, and intruders with months to operate could steal trade secrets, proprietary information and employee or customer data. The stakes can be at least as high in a federal environment. Tax data, Social Security numbers, classified and top secret information are all stored in massive quantities within federal networks.

Caudill, citing a Ponemon Institute study, said the problem is scarier for federal agencies because one-third aren't even planning on using big data analytics.

But Caudill said big data analytics has progressed sufficiently as a technology to search for anomalies in network data. Just as banks use analytics to analyze customer transactions and alert customers when iffy behavior occurs, federal agencies can monitor the behavior of users and traffic within their environments.
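As an added illustration (not code from the article, Teradata or any agency), the kind of baseline-and-deviation check Caudill describes, applied to constructed per-user outbound traffic totals: each user's earlier days form that user's own baseline, and a day that deviates sharply from it is flagged for an analyst. The flow records, user names and threshold are all assumptions.

```python
"""Per-user egress anomaly check: flag a day that deviates from the
user's own history. Constructed sample data; thresholds are assumptions."""
from collections import defaultdict
from statistics import median

# Constructed flow summaries: (day, user, bytes_out). Days 1-7 form the
# baseline; day 8 is the window being scored.
FLOWS = [
    (1, "alice", 12_000), (2, "alice", 15_000), (3, "alice", 11_000),
    (4, "alice", 14_000), (5, "alice", 13_000), (6, "alice", 12_500),
    (7, "alice", 15_500), (8, "alice", 640_000),   # sudden bulk egress
    (1, "bob", 50_000), (2, "bob", 48_000), (3, "bob", 52_000),
    (4, "bob", 55_000), (5, "bob", 47_000), (6, "bob", 51_000),
    (7, "bob", 49_500), (8, "bob", 53_000),         # within normal range
]


def daily_totals(flows):
    """Aggregate bytes_out into {user: {day: total}}."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, user, nbytes in flows:
        totals[user][day] += nbytes
    return totals


def robust_score(history, value):
    """Robust z-score using median and MAD, so one earlier spike in the
    baseline does not inflate the scale and mask a new one."""
    med = median(history)
    mad = median(abs(x - med) for x in history)
    scale = 1.4826 * mad if mad else 1.0   # flat baseline: avoid divide-by-zero
    return (value - med) / scale


def score_day(flows, day, threshold=5.0, min_history=5):
    """Return {user: score} for users whose egress on `day` exceeds their
    own baseline (all earlier days) by more than `threshold`."""
    alerts = {}
    for user, by_day in daily_totals(flows).items():
        history = [v for d, v in by_day.items() if d < day]
        if day not in by_day or len(history) < min_history:
            continue   # not enough baseline to judge this user yet
        score = robust_score(history, by_day[day])
        if score > threshold:
            alerts[user] = round(score, 1)
    return alerts


if __name__ == "__main__":
    print(score_day(FLOWS, 8))
```

In a real deployment the same scoring would run over streaming flow summaries so the alert fires within the same window rather than months later.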

Caudill stressed that any system of situational awareness requires four key aspects: people, process, technology and data.

"If you leave out any of those things, you have a three-legged dog," Caudill said. "Now a three-legged dog can do some things, but…"

Steven Chabinsky, senior vice president of legal affairs and chief risk officer of Crowdstrike, said yesteryear's failed approaches to cybersecurity highlight the importance of analytics within network systems.

The world is dealing with more potent, tenacious adversaries than ever before, Chabinsky said, and the government isn't doing much in the way of stopping them.

Short of spending more money on identifying specific adversaries and targeting them with offensive cyber initiatives – something Chabinsky said the private sector would welcome – agencies should invest in better threat detection because the threats aren't going to stop.

Analytics represents the best current approach to identifying threats when they break through security, and the faster those threats are discovered and isolated, the less data they're likely to export and the less harm they're likely to inflict.

"We as a nation and security community have been following a failed approach to security," Chabinsky said. "It should not surprise anybody that we are failing miserably."


Reader comments

Thu, Sep 19, 2013
Dave Tindell

Frank, good article, but I have to agree with the comments of the reader above that infrastructure should be a top priority, since many of the new systems incorporate greater controls and monitoring capabilities. Adding analytics to this will help identify the anomalies associated with illegal intrusion, then alert appropriate entities of the finding and automatically lock down or reduce bandwidth.
Since big data really is a big target for cyber-attacks and intrusion due to its nature and volume, being prepared to monitor, analyze and control both external and internal access is of utmost importance to both the data owners and those the data represent. All four legs are needed for real stability.

Mon, Sep 16, 2013

The title of your article contradicts the comments of the security experts. You need all four to have better security. Having alarms without improving the locks fails to remediate the situation. We are being told to invest in better alarms but at the same time cutting the resources we use to remediate the situation, while at the same time expanding the avenues subject to attack. Big data analytics is hyping the need, when the need is really to upgrade the infrastructure. Legacy systems and equipment on networks threaten other connected systems because of their unmitigated vulnerabilities. Older tools for remediation are not being updated because of this "need" for cyber analytics. If you don't have the basic, modern tools for hardening, you don't need cyber analytics. A parallel to this is the hype about money needed for roads and bridges. When money is finally allocated, it doesn't go towards repairing the crumbling bridges and roads but to the "smart" high-tech roads built with sensors. The sensors tell you how dangerous the road is becoming, but the problem of repairing it goes unmitigated.
